Infection Chain

The infection chain started off with a decoy site that contained an iframe pointing to the URL guerritor.info/banners/uaps?. Typically a user would be redirected to these decoy sites through malvertising.

The GET request for guerritor.info/banners/uaps? returns a version of RIG’s pre-landing page. This pre-landing page contains a script that fingerprints the system and holds the URL of the RIG exploit kit landing page. Below is a snippet of the pre-landing page:

If everything checks out, the script tells the host to make a POST request for the landing page.

Once the Flash exploit has run, the malware payload is dropped and executed in %Temp%:

The executable js1jq4ly.exe is copied over to C:\Users\<User>\AppData\Roaming\catskend\ as docpDump.exe:

The bot checks in with the CnC server at 158.69.176.173/images/[removed]/.avi. We then see the GET request for the Tor client, currently hosted at 158.69.176.173/tor/t64.dll. The server returns /tor/t64.dll if the host OS is 64-bit and /tor/t32.dll if it is 32-bit.

When the Tor client is retrieved from 158.69.176.173, we see the bot create a registry entry under HKCU\Software\AppDataLow\Software\Microsoft\<random GUID>:

This key contains the path to the client, which is dropped in the %Temp% folder, with a filename using the pattern [A-F0-9]{4}.bin. In this case that file was F464.bin (3,088 KB).

According to Proofpoint, the Tor-enabled version of Dreambot has been active since at least July 2016.

Persistence is established through HKCU\Software\Microsoft\Windows\CurrentVersion\Run:
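As an added example (not part of the original analysis), the following Python scans constructed host telemetry lines for the indicators described above: the Tor module download from the CnC host, the AppDataLow GUID key pointing at a [A-F0-9]{4}.bin file in %Temp%, the staged copy under Roaming\catskend, and the Run-key persistence. The pipe-delimited `key=value` line format and the standard {8-4-4-4-12} GUID form are assumptions.

```python
import re

# Indicators from the analysis above. The GUID under the AppDataLow key is
# assumed to use the standard {8-4-4-4-12} form; the page only says "<random GUID>".
CNC_HOST = "158.69.176.173"
TOR_MODULE_RE = re.compile(r"^/tor/t(32|64)\.dll$", re.I)
GUID_KEY_RE = re.compile(r"^HKCU\\Software\\AppDataLow\\Software\\Microsoft\\"
                         r"\{?[0-9A-F]{8}(-[0-9A-F]{4}){3}-[0-9A-F]{12}\}?$", re.I)
TOR_DROP_RE = re.compile(r"\\Temp\\[A-F0-9]{4}\.bin$", re.I)
STAGED_COPY_RE = re.compile(r"\\AppData\\Roaming\\catskend\\docpDump\.exe$", re.I)
RUN_KEY_RE = re.compile(r"^HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)

def parse_event(line):
    """Parse one constructed 'key=value|key=value' telemetry line into a dict."""
    return dict(f.split("=", 1) for f in line.strip().split("|") if "=" in f)

def match_indicators(event):
    """Return the names of every indicator a single event matches."""
    hits, kind = [], event.get("type")
    if kind == "netconn":
        if event.get("dst") == CNC_HOST:
            hits.append("cnc_host")
        if TOR_MODULE_RE.search(event.get("url", "")):
            hits.append("tor_module_download")
    elif kind == "regset":
        key, data = event.get("key", ""), event.get("data", "")
        if GUID_KEY_RE.search(key) and TOR_DROP_RE.search(data):
            hits.append("tor_client_path_key")
        if RUN_KEY_RE.search(key) and STAGED_COPY_RE.search(data):
            hits.append("run_key_persistence")
    elif kind == "filecreate" and STAGED_COPY_RE.search(event.get("path", "")):
        hits.append("staged_copy")
    return hits

def scan(lines):
    """Return (line_number, hits) for every telemetry line that matches an indicator."""
    return [(n, h) for n, line in enumerate(lines, 1)
            if (h := match_indicators(parse_event(line)))]

# Constructed sample telemetry (not a real capture) following the chain above.
SAMPLE_EVENTS = [
    r"type=filecreate|path=C:\Users\bob\AppData\Local\Temp\js1jq4ly.exe",
    r"type=filecreate|path=C:\Users\bob\AppData\Roaming\catskend\docpDump.exe",
    r"type=netconn|dst=158.69.176.173|url=/tor/t64.dll",
    r"type=regset|key=HKCU\Software\AppDataLow\Software\Microsoft\{5B2C1F44-9E0A-4D1B-8C2F-0A1B2C3D4E5F}"
    r"|data=C:\Users\bob\AppData\Local\Temp\F464.bin",
    r"type=filecreate|path=C:\Users\bob\AppData\Local\Temp\report.txt",
    r"type=regset|key=HKCU\Software\Microsoft\Windows\CurrentVersion\Run\docpDump"
    r"|data=C:\Users\bob\AppData\Roaming\catskend\docpDump.exe",
]
```

Running `scan(SAMPLE_EVENTS)` flags lines 2, 3, 4 and 6; the initial %Temp% dropper name is random per infection, so it is deliberately not matched by name.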